Windows installer bundled OpenSSL executes code from unprotected directory

When the database server or libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically, the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL server or client.

Most PostgreSQL client tools and libraries use libpq, and one can encounter this vulnerability by using any of them. This vulnerability is much like CVE-2019-5443, but it originated independently. One can work around the vulnerability by setting environment variable OPENSSL_CONF to "NUL:/openssl.cnf" or any other name that cannot exist as a file.

The PostgreSQL project thanks Daniel Gustafsson of the curl security team for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
11 11.5 Aug. 8, 2019
10 10.10 Aug. 8, 2019
9.6 9.6.15 Aug. 8, 2019
9.5 9.5.19 Aug. 8, 2019
9.4 9.4.24 Aug. 8, 2019

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 7.8
Component packaging
Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.